Abstract

This note presents a quantum protocol for private information retrieval, in the single-server case
and with information-theoretical privacy, that has $O(\sqrt{n})$-qubit communication complexity, where $n$
denotes the size of the database. In comparison, it is known that any classical protocol must use
$\Omega(n)$ bits of communication in this setting.

1 Introduction

Private information retrieval deals with the design and the analysis of protocols that allow a user to
retrieve an item from a server without revealing which item it is retrieving. This field, introduced in a
seminal paper by Chor, Kushilevitz, Goldreich, and Sudan [CKGS98], has been the subject of intensive
research due to the growing ubiquity of public databases. Examples of applications include ensuring
consumer privacy in e-commerce transactions or reading webpages on the Internet without revealing the
user's preferences.

In the case of a single server and of information-theoretical privacy, which is the focus of this note,
private information retrieval can be described as follows. The server has a database
$A = (a^1, \ldots, a^\ell) \in \Sigma^\ell$, where $\Sigma = \{0,1\}^r$ is a set of items represented as
$r$-bit strings, and the user has an index $i \in \{1, \ldots, \ell\}$.
A private information retrieval protocol is a (classical or quantum) communication protocol between the
server and the user such that, when the user and the server both follow the protocol, the user always
outputs the item $a^i$ and the server gets no information about the index $i$, in the following sense.
Let $V_S(A,i)$ denote the server's view of the communication generated by the protocol when the server
has input $A$ and the user has input $i$. The privacy condition is that, for any database
$A \in \Sigma^\ell$ and any two indexes $i, j \in \{1, \ldots, \ell\}$, the views $V_S(A,i)$ and
$V_S(A,j)$ are identical. Note that, while several subtleties arise
when trying to formally define the server's view in an arbitrary quantum protocol, the above description
will be sufficient for our purpose due to the limited interaction between the server and the user in the
quantum protocols described in this note.

It is easy to show that, classically, downloading the whole database is essentially optimal: any
classical protocol must communicate a number of bits linear in the size of the database [CKGS98]. The
communication complexity of quantum protocols for private information retrieval was first
investigated by Kerenidis and de Wolf [KdW04a]. Their work focused on two-message quantum protocols,
and established a connection with locally decodable codes and random access codes. In particular it was
proved that, for a single server, any private two-message quantum protocol must use a linear amount of
communication. This note shows that this lower bound does not hold for quantum protocols using more
than two messages and describes how to construct a three-message quantum protocol for private
information retrieval with sublinear communication complexity, thus breaking for the first time the linear
barrier in the single-server and information-theoretical privacy setting. Our main result is the following
theorem.

Theorem 1. Let $\ell$ and $r$ be any positive integers. There exists a private information retrieval quantum
protocol that, for any database $A \in \Sigma^\ell$ with $\Sigma = \{0,1\}^r$, uses $2\ell + 2r$ qubits of communication.

Since the overall size of the database is $\ell r$ bits, Theorem 1 gives a quadratic improvement over
classical protocols and two-message quantum protocols whenever $\ell + r = O(\sqrt{\ell r})$, for example when
$\ell = \Theta(r)$. This quadratic improvement can actually be obtained for any values of $\ell$ and $r$: the idea is
to decompose the database into about $\sqrt{\ell r}$ blocks, each of size about $\sqrt{\ell r}$ bits. To illustrate this, let us
consider a binary database $A = (a^1, \ldots, a^\ell)$ when $\ell = s^2$ for some positive integer $s$. We construct the
database $B = (b^1, \ldots, b^s)$ such that, for each $k \in \{1, \ldots, s\}$, the $k$-th block is
$b^k = (a^{(k-1)s+1}, \ldots, a^{ks}) \in \{0,1\}^s$. Note that the bit $a^i$ is contained in the block $b^j$ with
$j = \lceil i/s \rceil$. By running the protocol of
Theorem 1 where, as inputs, the server has database $B$ and the user has index $j$, the user is able to
recover the whole block $b^j$, and thus the bit $a^i$, using $O(s)$ qubits of communication.

We stress that this note considers only the setting where the parties do not deviate from the
protocol, as often assumed in works focusing on algorithmic or complexity-theoretic aspects of private
information retrieval. While this restriction may reduce the applicability of our result, we believe that it 
nevertheless illustrates the subtle interplay of interaction and quantum information in protecting privacy. 
Indeed, even in this setting, a linear amount of communication is needed for classical protocols and for 
two-message quantum protocols. 

Other related works. Several other aspects of quantum protocols for private information retrieval
have been investigated. The case of multiple servers has been studied in [KdW04a, KdW04b], while
the case of symmetric private information retrieval, where the server's privacy is also taken into
consideration, has been studied in [KdW04b, GLM08, JRS09]. Privacy issues in quantum communication
complexity have been studied in [Kla04] as well. Let us mention that quantum protocols for symmetric
private information retrieval are also studied under the name of quantum oblivious transfer protocols,
especially when the server and the user may deviate from the protocol (i.e., when considering malicious
parties).

2 Proof of Theorem 1

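We suppose that the reader is familiar with quantum computation and refer to, e.g., [NC00] for an
introduction to this field. Let us first describe some of our notations. Given two bits $a, b \in \{0,1\}$, we
write their parity as $a \oplus b$. For any two elements $u = (u_1, \ldots, u_r)$ and $v = (v_1, \ldots, v_r)$ in
$\Sigma = \{0,1\}^r$, let us write $u \cdot v = u_1 v_1 \oplus \cdots \oplus u_r v_r$ and
$u \oplus v = (u_1 \oplus v_1, \ldots, u_r \oplus v_r)$. Note that $u \cdot v$ is a bit and $u \oplus v$ is an
element of $\Sigma$. Our protocol will use the Pauli gate

$$Z := \sum_{z \in \{0,1\}} (-1)^z |z\rangle\langle z|$$

acting on one qubit and the Quantum Fourier Transform

$$\mathrm{QFT} := \frac{1}{\sqrt{|\Sigma|}} \sum_{y,z \in \Sigma} (-1)^{y \cdot z} |y\rangle\langle z|$$

acting on $r$ qubits. It will also use the gates

$$\mathrm{CNOT}^{(R_1,R_2)} := \sum_{y,z \in \Sigma} |y\rangle_{R_1} |z \oplus y\rangle_{R_2} \langle y|_{R_1} \langle z|_{R_2}$$

$$U_b^{(R_1,Q)} := \sum_{y \in \Sigma,\, z \in \{0,1\}} |y\rangle_{R_1} |z \oplus b \cdot y\rangle_{Q} \langle y|_{R_1} \langle z|_{Q},$$

where $R_1$ and $R_2$ denote $r$-qubit registers, $Q$ denotes a one-qubit register, and $b$ is any element in $\Sigma$.
We now present the proof of Theorem 1.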

Proof of Theorem 1. The protocol uses $\ell + 2$ quantum registers: Registers $R$ and $R'$ each consisting of
$r$ qubits, and Registers $Q_1, \ldots, Q_\ell$ each consisting of one qubit. For any database
$A = (a^1, \ldots, a^\ell) \in \Sigma^\ell$, let us denote by $|\Phi_A\rangle$ the quantum state

$$|\Phi_A\rangle := \frac{1}{\sqrt{|\Sigma|}} \sum_{x \in \Sigma} |x\rangle_{R} |x\rangle_{R'} |x \cdot a^1\rangle_{Q_1} \cdots |x \cdot a^\ell\rangle_{Q_\ell}$$

in Registers $(R, R', Q_1, \ldots, Q_\ell)$. The protocol is described in Figure 1. It consists of three messages and
uses a total amount of $2\ell + 2r$ qubits of communication.



Server's input: $A = (a^1, \ldots, a^\ell) \in \Sigma^\ell$
User's input: $i \in \{1, \ldots, \ell\}$

1. The server constructs the quantum state $|\Phi_A\rangle$ and sends Registers $R', Q_1, \ldots, Q_\ell$ to the user.

2. The user applies $Z$ over Register $Q_i$ and sends back Registers $Q_1, \ldots, Q_\ell$ to the server.

3. The server applies $U_{a^k}^{(R,Q_k)}$, for each $k \in \{1, \ldots, \ell\}$, and sends to the user Register $R$.

4. The user applies $\mathrm{CNOT}^{(R,R')}$, applies QFT over Register $R$, and then measures $R$ in the
computational basis.

Figure 1: Quantum private information retrieval protocol.

We first show that in this protocol the user always outputs the correct element of the database. 
Observe that, at the end of Step 2, the state is 

y^ xez 

At Step 4, just before the user performs the measurement, the state is
$|a^i\rangle_{R} |0\rangle_{R'} |0\rangle_{Q_1} \cdots |0\rangle_{Q_\ell}$, and measuring
Register $R$ gives the element $a^i$ with probability 1. Let us now consider the user's privacy. The
only information about $i$ that a server following the protocol can obtain is from Registers $R, Q_1, \ldots, Q_\ell$
of the state $|\Phi\rangle$. Since tracing out Register $R'$ in $|\Phi\rangle\langle\Phi|$ gives the density matrix

$$\frac{1}{|\Sigma|} \sum_{x \in \Sigma} |x\rangle_{R} |x \cdot a^1\rangle_{Q_1} \cdots |x \cdot a^\ell\rangle_{Q_\ell} \langle x|_{R} \langle x \cdot a^1|_{Q_1} \cdots \langle x \cdot a^\ell|_{Q_\ell},$$

the server obtains no information about the user's input. □

Remark. As already mentioned, in this note we only consider the case where the server follows the
protocol. This assumption is used in the analysis of the protocol of Figure 1 in order to ensure that the
server prepares the state $|\Phi_A\rangle$ at Step 1. Note that if, instead of $|\Phi_A\rangle$, the server prepared for example
the state

$$|\Psi_A\rangle := \frac{1}{\sqrt{|\Sigma|}} \sum_{x \in \Sigma} |x\rangle_{R} |0\rangle_{R'} |x \cdot a^1\rangle_{Q_1} \cdots |x \cdot a^\ell\rangle_{Q_\ell},$$

then it would be able to recover the index $i$ with probability one at Step 3.
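
The following classical state-vector simulation is an added example, not part of the original note. It runs the four steps of Figure 1 on a small constructed database, checks that the honest server's reduced state on $(R, Q_1, \ldots, Q_\ell)$ is the same for every index, and shows that the view depends on the index when Register $R'$ is prepared as $|0\rangle$, as in the Remark. All function names and the sample database are assumptions made for illustration.

```python
from math import sqrt

def dot(u, v):
    """Inner product mod 2 of two r-bit strings packed as ints."""
    return bin(u & v).count("1") & 1

def prepare(A, r, honest=True):
    """Step 1. State as {(R, R', (Q_1..Q_l)): amplitude}; honest=False puts |0> in R'."""
    n = 2 ** r
    return {(x, x if honest else 0, tuple(dot(x, a) for a in A)): 1 / sqrt(n)
            for x in range(n)}

def user_z(state, i):
    """Step 2. Pauli Z on Q_i (i is 1-based) adds the phase (-1)^(x . a^i)."""
    return {k: (-amp if k[2][i - 1] else amp) for k, amp in state.items()}

def server_view(state):
    """Density matrix on registers (R, Q_1..Q_l) after tracing out R'."""
    rho = {}
    for (x, xp, q), a in state.items():
        for (y, yp, p), b in state.items():
            if xp == yp:  # only matching R' values survive the partial trace
                rho[(x, q, y, p)] = rho.get((x, q, y, p), 0.0) + a * b
    return {k: round(v, 9) for k, v in rho.items()}

def finish(state, A, r):
    """Steps 3-4. Server uncomputes each Q_k; user applies CNOT and QFT. Returns Pr[R = y]."""
    n, out = 2 ** r, {}
    for (x, xp, q), amp in state.items():
        q = tuple(b ^ dot(a, x) for a, b in zip(A, q))  # U_{a^k} on (R, Q_k)
        xp ^= x                                          # CNOT with control R, target R'
        for y in range(n):                               # QFT over Register R
            key = (y, xp, q)
            out[key] = out.get(key, 0.0) + amp * (-1) ** dot(x, y) / sqrt(n)
    probs = [0.0] * n
    for (y, _, _), amp in out.items():
        probs[y] += amp * amp
    return [round(p, 9) for p in probs]

def retrieve(A, r, i):
    """Run the honest protocol and return the outcome measured with probability 1."""
    return finish(user_z(prepare(A, r), i), A, r).index(1.0)

def views(A, r, honest):
    """Server's reduced state after Step 2, for each user index i = 1..l."""
    return [server_view(user_z(prepare(A, r, honest), i)) for i in range(1, len(A) + 1)]

A = [0b101, 0b011, 0b110, 0b001]  # constructed database: l = 4 items of r = 3 bits
```

With these inputs, `retrieve(A, 3, i)` returns `A[i - 1]` for every `i`, `views(A, 3, True)` contains four identical matrices, and `views(A, 3, False)` contains four pairwise different ones.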